Abstract


There is a trend of growing interest and demand for greater access of 
unmanned aircraft (UA) to the National Airspace System (NAS) as the 
ongoing development of UA technology has created the potential for 
significant economic benefits. However, the lack of a comprehensive and 
efficient UA regulatory framework has constrained the number and kinds 
of UA operations that can be performed. This report presents initial results 
of a study aimed at defining a safety-risk-based UA classification as a 
plausible basis for a regulatory framework for UA operating in the NAS. 
Much of the study up to this point has been at a conceptual high level. The 
report includes a survey of contextual topics, analysis of safety risk 
considerations, and initial recommendations for a risk-based approach to 
safe UA operations in the NAS. The next phase of the study will develop 
and leverage deeper clarity and insight into practical engineering and 
regulatory considerations for ensuring that UA operations have an 
acceptable level of safety. 




Table of Contents

Table of Figures
Table of Tables
Acronyms and Abbreviations
Executive Summary
1. Background
2. Problem
3. Approach
4. Survey of Contextual Topics
4.1. Systems Engineering and Systems Analysis
4.2. System Safety
4.3. Government Regulation
4.4. National Airspace System
4.5. Regulation of Manned Aviation
4.6. Unmanned Aircraft Technology and Applications
4.7. Unmanned Aircraft Safety Risk
4.8. Considerations for Unmanned Aircraft Regulations
5. Analysis
6. Recommendations
7. Final Remarks
8. References




Table of Figures

Figure 1: Major influence paths for UA operations affecting the safety quality of the NAS
Figure 2: Iterative model of the flow of activities during the study
Figure 3: Considerations of cost, benefit, and risk in an undertaking
Figure 4: General top-level trade-off space of a system
Figure 5: General model for Acceptable Level of Safety (ALOS)
Figure 6: Bow-Tie model for hazard analysis
Figure 7: Bow-Tie model with prevention and protection barriers
Figure 8: Cost vs. Safety Effort [23]
Figure 9: Risk vs. Safety Effort [42]
Figure 10: Notional objectives hierarchy
Figure 11: Risk-based analytic-deliberative process for decision-making [48]
Figure 12: Operational concept view of the current NAS [90]
Figure 13: Notional depiction of major NAS components [57]
Figure 14: Airspace classifications [91]
Figure 15: High-level contextual model of the NAS
Figure 16: Hard and soft layers of the NAS
Figure 17: General process model of system transformation (Adapted from [55])
Figure 18: NextGen ATS Operational View [93]
Figure 19: Evolution of Part 23 Regulations [64]
Figure 20: ICAO aircraft classification
Figure 21: Military unmanned aircraft classification and examples [69]
Figure 22: Range of DOD unmanned aircraft based on endurance and payload capacity [94]
Figure 23: Unmanned aircraft as remotely piloted aircraft [72]
Figure 24: Basic RLOS C2 link [72]
Figure 25: BRLOS C2 link with satellite relay [72]
Figure 26: RPS-ATC communication with RPA relay [72]
Figure 27: RPS-ATC direct radio communication [72]
Figure 28: RPS-ATC communication through ground-based network [72]
Figure 29: Concept graphic for NASA UA Traffic Management (UTM) [96]
Figure 30: ATC-RPS-GTC communication
Figure 31: Unmanned aircraft in operational environment
Figure 32: Major mishap scenarios for unmanned aircraft
Figure 33: Structural view of UAS interacting with its environment
Figure 34: 3P model of task management augmented with SRK model of behavior
Figure 35: Progressive scope of information relevance in the 3P model of task management [76]
Figure 36: Sampling of regulatory products for certification and operational approval of UAS [88]
Figure 37: Safety Continuum demanded by society [86]
Figure 38: ALOS components: aleatory risk and epistemic risk
Figure 39: Major elements of a flight operation
Figure 40: Aircraft system performance and complexity space with increasing effectiveness
Figure 41: Aircraft system as a hazard in the operational environment
Figure 42: Achieving ALOS with multiple risk mitigation contributions
Figure 43: Achieving ALOS with environment limitations
Figure 44: Scope of hazard severity and complexity as AS performance and complexity increase
Figure 45: Increasing area of unacceptable risk as AS performance and complexity increase
Figure 46: Relation of safety risk and cost with safety effort
Figure 47: Notional AS classification based on risk levels

Table of Tables

Table 1: Structure of the Federal Aviation Regulations
Table 2: Aircraft airworthiness certificates
Table 3: FAR Part 23 Structure
Table 4: Annexes to the Convention on International Civil Aviation
Table 5: Partial list of potential applications for Unmanned Aircraft


Acronyms and Abbreviations

ATC: Air Traffic Control
ATO: Air Traffic Organization
ATS: Air Transportation System
C2: Command and Control
C3: Communication, Command, and Control
CFR: Code of Federal Regulations
COA: Certificate of Authorization
DAA: Detect-and-Avoid
EASA: European Aviation Safety Agency
FAA: Federal Aviation Administration
FAR: Federal Aviation Regulations
FIT: Flight Into Terrain
GDP: Gross Domestic Product
GTC: Ground-space Traffic Control
ICAO: International Civil Aviation Organization
LOS: Loss of Separation
NAS: National Airspace System
NASA: National Aeronautics and Space Administration
NextGen: Next Generation Air Transportation System
NPRM: Notice of Proposed Rulemaking
ODU: Old Dominion University
OTA: Office of Technology Assessment
POI: Problem of Interest
RPA: Remotely Piloted Aircraft
RPAS: Remotely Piloted Aircraft System
RPS: Remote Pilot Station
SA: Systems Analysis
SOI: System of Interest
SRK: Skills, Rules, and Knowledge
TSE: Traditional Systems Engineering
U.S.: United States
U.S.A.: United States of America
UA: Unmanned Aircraft
UAS: Unmanned Aircraft System
UN: United Nations
UTM: Unmanned Aircraft System Traffic Management


Executive Summary 


The National Airspace System (NAS) is the large and complex network of airports, airways, 
and air traffic control facilities that support commercial, private, and military use of the national 
airspace. The NAS was created and has evolved to serve primarily manned aircraft operations. 
However, the ongoing development of unmanned aircraft (UA) technology has created the 
potential for significant economic benefits, and there is growing interest and demand for greater 
access of UA to the NAS. The lack of a comprehensive and efficient UA regulatory framework 
is severely constraining the number and kinds of UA operations that can be performed. The goal 
of this study is to define a safety-risk-based classification that is a suitable basis for a regulatory
framework for unmanned aircraft in the NAS.


This problem has a multitude of relevant dimensions. The regulations for civilian aviation 
are the fundamental governance rules for the operation of aircraft in the NAS. The development 
of aviation regulations is a complex, contextually embedded problem with a large and 
heterogeneous group of stakeholders. There are no clear boundaries to the scope of this problem. 
Subjectivity, ambiguity, uncertainty, and divergence of perspectives are all present. Many 
factors would influence a revised structure of the aviation regulatory framework, with safety- 
related risk being the primary one. The analysis must also consider relevant contextual factors 
such as current aviation regulations; status and trends in technology and industry; societal values 
and expectations; and the situation in the areas of government regulation, politics, business, and
the economy.


Because of these characteristics of the problem domain, it is unrealistic to expect that the 
output of this study will be conclusive. Instead, the study was aimed at moving the problem 
forward by providing a measure of clarity and insight, and leveraging these to formulate a 
recommendation for a risk-based classification for unmanned aircraft. The study was divided
into two major parts:

• Understand the problem: a survey of relevant contextual topics and an analysis of
  safety risk for unmanned aircraft; and

• Provide recommendations: synthesis of available information into a UA classification
  proposal informed by safety-risk considerations and other relevant factors.


The bulk of the study and this report was allocated to the survey of relevant areas of
considerations. The surveyed topics include:

• Systems engineering and systems analysis,
• System safety,
• Government regulations,
• National Airspace System,
• Regulation of manned aviation,
• Unmanned aircraft technology and applications,
• Safety risk of unmanned aircraft, and
• Considerations for unmanned aircraft.


This survey was the foundation for gaining adequate understanding of the problem, and it 
was instrumental to the problem analysis. Together, the survey and the analysis provided the
basis for the recommendations.


Recommendation 1: The regulations should allow compliance with Acceptable Level of 
Safety (ALOS) objectives using a combination of risk mitigation contributions from the mission,
the environment, and the aircraft system.


This recommendation would enable approval of a wide range of activities and the full 
exploitation of the potential benefits of unmanned aviation. The implementation of mission and 
operational restrictions would allow a variety of performance and cost options for realizing UA
applications.


Recommendation 2: Unmanned aircraft should be classified based on an ordinal scale that
combines hazard severity and hazard complexity.


Based on the safety risk analysis performed in this study, hazard severity and hazard
complexity are the two major factors of aircraft safety risk and the required effort to ensure an
adequate level of safety. The proposed classification is based on increasingly larger sectors of
the hazard severity and hazard complexity space, as shown in the following figure, where class A
aircraft have the highest potential safety risk and class C aircraft have the lowest potential safety
risk. This classification basis is aligned with the pattern of societal concern and demand for
safety assurance.


[Figure: Proposed risk-based aircraft classification, with axes Hazard Severity and Hazard Complexity]


The feedback received to date from subject matter experts (SMEs) on the recommendation for
a risk-based classification of unmanned aircraft has been positive. SMEs recommended that the
study be continued with the purpose of identifying more specific and practical classification
criteria and thresholds. The value of the final classification recommendations will be based on
their usefulness to the unmanned aircraft community in industry, government, and academia.
1. Background


The National Airspace System (NAS), a component of the overall U.S. transportation 
infrastructure, is a complex network of airports, airways, and air traffic control (ATC) facilities 
that support commercial, private, and military use of the U.S. airspace [1]. The goals of the NAS 
are to ensure safety of flight, prompt movement of aircraft, and cost-efficient operations. The 
main traffic services provided by the NAS include flight planning and advisory information, 
navigation and landing aids, and air traffic control. Aviation contributes to decreasing barriers to 
trade, is an engine to innovation and technological progress, and provides an infrastructure that 
keeps the U.S. competitive in the global economy [2]. Civil aviation, in particular, contributed 
an average of 5.2 percent of GDP between the years 2000 and 2012. However, aircraft noise is a
major issue for communities near airports, and there is a general concern about aircraft pollutant
emissions that contribute to global warming and ocean acidification [3].


The continued development of unmanned aircraft systems (UAS) technology is creating 
potential opportunities for significant positive impact to the United States economy. In addition 
to military applications, UAS are currently being used in a variety of civil applications, including 
agricultural monitoring, weather monitoring, aerial imaging, and law enforcement, among many 
others [4]. Market analyses indicate that the major potential markets for UAS are in precision 
agriculture and public safety. Along with potential economic benefits, there are serious concerns 
about UAS operational safety and security, and concerns about privacy, civil rights, and civil 
liberties [5]. The environmental impact of UAS operations is also an issue of concern. In 
addition, a major concern for UAS operations is that the NAS was created and has evolved 
assuming that operating aircraft are manned. Technologically, operationally, or administratively 
(i.e., from the point of view of regulations, policy, standards, capabilities, and procedures), the 
NAS is not ready for large-scale, safe, and routine UAS operations while continuing to meet the 
goals of safe, effective, and efficient operations of manned aircraft. The problem is complicated 
by the ongoing comprehensive transformation of the NAS to the NextGen Air Transportation 
System (ATS), which is intended to increase capacity, flexibility, scalability, safety, reliability,
and security, while reducing operational costs and minimizing the environmental impact in terms
of noise and pollution [6]. The NextGen ATS transformation plans did not envision the ongoing
developments in UAS technology and the increased demand for UAS operations.


The current Federal Aviation Regulations (FARs) do not provide the legal framework 
necessary for large-scale and safe integration of UA operations in the NAS. The recently 
released Part 107 of the FARs defines the legal framework for small UAS (sUAS) weighing less
than 55 pounds and a multitude of operational limitations intended to minimize the risk to other 
aircraft, people, and property [7]. For operations not covered by Part 107, UAS are granted 
access to the NAS outside of special-use airspace on a case-by-case basis under Certificates of 
Waiver or Authorization (COA) for public (i.e., government) operators, or a special 
airworthiness certificate for civil operators (i.e., everyone else, except recreational model-
airplane operators) [8]. Not only is this a time- and resource-consuming approval process, but
UAS operational access is only allowed in airspace segregated from manned aircraft traffic.
These approvals also impose constraints on timeframe (daylight only), weather (visual
meteorological conditions only), overflight of populated areas, and other operational factors.
The aviation regulatory framework and approval process must continue to evolve to meet the 
demands of the UA market for less restrictive, more numerous, safe, and routine operations 
integrated into the overall context of the NAS. The regulatory framework for UA and its 
implementation should preserve the goals of the NAS, while enabling the realization of potential
economic and societal benefits of the technology, and minimizing the negative impacts.


The development and enactment of such changes to the FARs is a complex and dynamic 
problem with a large number of stakeholders, including the manned flight operators, aircraft 
manufacturers, airport operators, regulatory authorities, security and defense providers, 
international aviation stakeholders, the general public, and others. Many factors would influence 
a revised structure of the aviation regulatory framework, with safety-related risk in the NAS
being a major consideration [9].


The National Aeronautics and Space Administration (NASA) has underway a research 
project named “Unmanned Aircraft Systems Integration in the National Airspace System” [10]. 
One of the focus areas of this study is UAS airworthiness certification standards. A main goal of 
this NASA research is the development of a risk-informed UAS classification scheme that is a
suitable basis for a regulatory framework. Much work has been done in this area by NASA and
many others [9] [11]. This is primarily a consensus problem that is aggravated by the contextual
complexity (including social, economic, political, and technological aspects with both national
and international dimensions) and the potentially strong influence that regulations would have on
the development of unmanned aviation, the NAS, and the economy.


2. Problem 


The regulations for civilian aviation are the fundamental governance rules for the 
operation of aircraft in the National Airspace System. The current regulatory approach for 
unmanned aircraft operating in the NAS is inadequate because of the cost, time, and effort 
needed to obtain approval for UA operations. In addition, due to safety concerns, current 
regulatory policy only allows UA operation in segregated airspace away from manned aircraft. 
The current regulatory approach does not scale to meet current and future demand for flexible,
unrestricted, and routine UA access to the NAS. A new approach to UA regulation is needed.
The goal of this study is:

    Define a safety-risk-based classification of unmanned aircraft that is a suitable
    basis for a regulatory framework for operation in the National Airspace System.


In order for the output of the study to be useful, the analysis needs to be as comprehensive as 
possible in the consideration of factors relevant to the NAS, including the design, operation, and 
interaction of manned and unmanned aircraft, in addition to many contextual factors. The 
development of an effective and efficient regulatory system for UA in the NAS must consider 
the full variety of current and potential future UA designs and operations. As the primary 
purpose of the aviation regulations is to promote safe operations, UA safety risk must be a major 
factor in the definition of the regulations. Figure 1 illustrates the major influence paths by which 
UA operations can influence the safety quality measures of the NAS. Both the direct path to 
NAS safety (i.e., considering only UA operations), as well as the indirect path through 
interaction with manned aircraft operations, must be taken into consideration for a holistic safety 
perspective of the NAS. The analysis must also consider relevant contextual factors such as
current aviation regulations; status and trends in technology and industry; societal values and
expectations; and the situation in the areas of government regulation, politics, business, and the
economy.


[Figure 1 diagram omitted; legible labels: NAS, Operations, Safety Outcome]

Figure 1: Major influence paths for UA operations affecting the safety quality of the NAS


3. Approach 


The development of aviation regulations is a complex, contextually embedded problem with 
a large and heterogeneous group of stakeholders. There are no clear boundaries to the scope of 
this problem. Subjectivity, ambiguity, uncertainty, and divergence of perspectives are all 
present. Achieving meaningful progress toward a solution to this problem requires knowledge
and experience in a multitude of technical and sociological topics and their interrelations.


Furthermore, because of the criticality of the regulations as a primary determinant of the 
evolution of the aviation industry and the consequent impact on the economy and society in 
general, effective problem analysis requires breadth as well as depth of understanding, as
under-appreciated combinations of low-level or unknown factors could lead to unintended and
undesired outcomes (i.e., emergence). Resolution of the problem can only be achieved through a
managed, iterative, analytical, and deliberative approach involving stakeholders, analysts, and
decision-makers in a collaborative effort of consensus building.


Because of these characteristics of the problem domain, it is unrealistic to expect that the 
output of this study will be conclusive. Instead, the study was aimed at moving the problem 
forward by providing a measure of clarity and insight, and leveraging these to formulate a 
recommendation for a risk-based classification for unmanned aircraft. The constraints on 
available resources, primarily manpower and time, mean that this study can only provide a broad 
and necessarily incomplete perspective on the problem. A much larger effort would be needed
for a comprehensive analysis.


Based on the assessment of the scope and complexity of the problem, and what could
realistically be accomplished with the available resources, the study was divided into two major
parts:

• Understand the problem: a survey of relevant contextual considerations and an analysis
  of safety risk for unmanned aircraft; and

• Provide recommendations: synthesis of available information into a UA classification
  proposal informed by safety-risk considerations and other relevant factors.


The actual execution of the study followed an iterative process closer in concept to the model
in Figure 2. As insight and understanding improved through data collection and analysis, the
scope, depth, and schedule of the study were recalibrated to get the most value out of what could
realistically be accomplished. The data used in this study included publicly available
documents and information sources, as well as discussions with UA and aviation regulation
experts at NASA Langley Research Center.


The following sections summarize the survey of contextual topics, the analysis of safety risk
for unmanned aircraft, and the recommendations for a risk-based classification of unmanned
aircraft.


[Figure 2 diagram omitted; legible labels: Situation, Problem of Interest (POI), Analysis]

Figure 2: Iterative model of the flow of activities during the study


4. Survey of Contextual Topics 


This section presents a summary of the survey results. Many technical and sociological 
topics are relevant to the problem of developing regulations for unmanned aircraft. For this 
study aimed at developing a risk-based classification, only a subset of topics was explored.
Some of the topics were general and provided a basis for understanding other more specialized 
topics. Emphasis was given primarily to technical aspects of the problem from a systems 
engineering perspective. This survey served as the foundation for the analysis presented in the
following section.


4.1. Systems Engineering and Systems Analysis 


Many concepts from traditional systems engineering (TSE) and systems analysis (SA) were
helpful in the development of this study. This section summarizes some of them.


Traditional systems engineering (TSE) and systems analysis (SA), the two major 
perspectives in the engineering of systems, were both instrumental in the development of this 
study. From the TSE perspective, a system is defined as “a collection of hardware, software, 
people, facilities, and procedures organized to accomplish some common objectives” [12], and 
(traditional) systems engineering is defined as “an interdisciplinary engineering management 
process that evolves and verifies an integrated, life-cycle balanced set of systems solutions that 
satisfy customer needs” [13]. From an SA perspective, a system is defined as “a set of elements 
so interconnected as to aid in driving toward a defined goal” [14], and systems analysis is 
defined as a combination of analytic operations research (OR) and policy analysis (PA) [14] 
involving both the analysis of complex systems problems and the synthesis (i.e., design) of 
solutions. The more concrete TSE perspective is suitable for dealing with complex technological 
systems and their operation, while the more abstract SA perspective is suitable for dealing with
complex problems involving a mix of hard technological aspects and softer sociological aspects.


From a systems analysis perspective, the subject problem of this study can be interpreted as a 
symptom of a faulty (or imperfect) system. In a narrow sense, the boundary of the faulty system 
could be said to include only the entities directly involved in the development of aviation laws 
and regulations in the United States, namely the U.S. Congress, the President, and the FAA. 
However, a fundamental lesson from systemic thinking is to be mindful of potential systems 
analysis errors when framing the problem and the associated problem system, including false 
positive, false negative, wrong problem, wrong action, inaction, unsubstantiated inference, and 
systems of errors [15]. Avoidance of these errors requires an approach with a broad scope that 
acknowledges the soft (human) dimensions of the problem, such as social, political, 
organizational, managerial, and policy aspects. Such an approach may reveal a much higher 
level of systemic complexity than purely technological concerns, and enable the discovery of
critical factors in the viability of a proposed problem solution.
A problem, defined as “an undesirable situation or unresolved matter that is significant to
some individual or group and that the individual or group is desirous of resolving” [16], revolves 
around the needs, interests, and values of the stakeholders. A stakeholder is an individual or 
group who can affect or is affected by the outcome of an undertaking [17] [18]. The drive to 
solve a problem may come from the needs and desires of a clearly defined and possibly small 
group of individuals, but it is the stakeholders at large who will determine the acceptability and 
long-term viability of a solution. A focus on stakeholder concerns avoids a systemic error of 
solving the wrong problem. In the context of aviation regulations, the approach to the problem 
must consider the interests of those whose activities are being regulated, as well as the 
implications on those not directly involved with the regulations but who may indirectly
experience the effects, both intended and unintended.


The purpose of an engineered system is described in terms of the desired effect on its 
environment, both at the interface (i.e., the system output) and further downstream on the state
of the environment (i.e., the outcome of the interaction). This effect is achieved by the flow of
matter, energy, and/or information between the system and the environment. Internally the
system consists of a “set of components (subsystems, segments) acting together to achieve a set
of common objectives via the accomplishment of a set of tasks (or functions)” [12]. A function
is a “process that transforms inputs into outputs” [12]. In an abstract sense, every purposeful
undertaking, whether it is as an action, process, task, operation, mission, project, or enterprise,
can be conceptualized as a system that transforms input into output. Thus, the system consumes
resources¹ (i.e., there is a cost) in order to produce an output that is intended to have a desired
effect (i.e., there is a benefit).


However, complexity can make the output and outcome of an undertaking difficult to predict. 
There are multiple definitions of complexity. A simple definition is that complexity is the 
number (or size) and variety (i.e., number of types) of elements and relations in a system [19]. 


The Cynefin framework of system complexity defines five levels of complexity [20] [15]:

• Simple: the relationship between cause and effect is obvious and predictable; the system
  is tightly constrained with no degrees of freedom;
• Complicated: the relationship between cause and effect requires analysis or some form
  of investigation; the system is tightly coupled following governing constraints;
• Complex: the relationship between cause and effect can be perceived in retrospect, but
  not in advance and it may not repeat; the system is loosely coupled;
• Chaotic: there is no detectable relationship between cause and effect at the system level;
  the system lacks constraints and is loosely coupled; and
• Disorder: absolute ignorance of the type of causality; total confusion; a mess.

¹ In general, resources are material (i.e., matter), energy, and information. A more concrete description of resources
includes man-power, material, money, methods, minutes (i.e., time) and information (MSI).


According to the Requisite Variety principle, as the complexity of the environment increases, 
so too must the complexity of the system increase in order to achieve a certain level of 
effectiveness (i.e., performance) [15] [21]. Furthermore, an increase in effectiveness is
correlated with an increase in complexity [21]. As the complexity of the environment and the 
system increases, our knowledge and understanding of how the elements interact becomes 
increasingly incomplete and our ability to predict the evolution of the state is diminished [19]. In 
effect, increasing complexity is correlated with increasing uncertainty about the system and its 
environment. Risk is “the chance that an unwanted event occurs” and “taking a risk is a choice 
to gamble on an event whose outcome is uncertain” [22]. Thus, as the complexity of a system
increases, the risk of unintended and negative consequences tends to increase too.


Every undertaking involves considerations of cost, benefit, and risk. At a high level, the 
engineering of systems is about ensuring that the system is “designed, built, and operated so that 
it accomplishes its purpose safely in the most cost-effective way possible considering 
performance, cost, schedule [which is a kind of cost], and risk” [17]. As illustrated in Figure 3, a 
system takes in resources and returns both desired results (i.e., performance, benefits) and 
undesired results (i.e., risks). The Systems Engineering Dilemma captures the correlation
between these [17]:

• To reduce cost at constant risk, performance must be reduced;
• To reduce risk at constant cost, performance must be reduced;
• To reduce cost at constant performance, higher risks must be accepted;
• To reduce risk at constant performance, higher costs must be accepted.

This tension captures the essence of systems engineering. A successfully engineered system
achieves an acceptable balance of cost, performance, and risk (Figure 4).


Figure 3: Considerations of cost, benefit, and risk in an undertaking

Figure 4: General top-level trade-off space of a system


4.2. System Safety 


System safety is a specialty within systems engineering concerned with the development of 
safe systems and products through the application of engineering and management principles, 
criteria, and techniques [23] [24] [25]. There are multiple conceptualizations of safety. A 
simple, non-technical definition of safety is “freedom from accident or losses” [26]. However, 
realistically, complete freedom from harmful unplanned events is not possible [25] [23]. In an 
aviation context, all system operations represent some degree of risk [23]. A more sensible way
to think of safety is in terms of risk as “the state in which the risk of harm to persons or property
damage is acceptable” [27]. From the point of view of safety, risk (i.e., potential for unwanted
outcome) refers to mishap risk, which is a composite of the severity of a mishap and the
probability that the mishap will occur [24]. A mishap is “an unplanned [i.e., unintended] event
resulting in death, injury, occupational illness, damage to or loss of equipment or property, or
damage to the environment” [24]. A mishap-centered technical definition of safety is the state in
which the mishap risk is acceptable. The term safety risk is used to distinguish safety-related
risk from other forms of risk associated with an undertaking or operation of a system.


Another perspective on safety is in terms of hazards. A hazard is a source of danger as a 
real or potential condition, event, or circumstance that could lead to or contribute to an 
unplanned or undesired event, such as a mishap or a state of higher mishap risk [23] [24] [25]. 
Hazard risk (or hazard level) is a composite of the hazard severity (i.e., the worst possible 
mishap that could result from the hazard given the environment in its most unfavorable state) and 
the likelihood of the hazard occurring [26]. From this perspective, safety risk is a function of the 
hazard risk, the exposure to the hazard (i.e., the duration and/or number of times that an entity is
vulnerable to the hazard in the sense that the state of the entity depends on the state of the
hazard), and the likelihood that exposure to the hazard will lead to a mishap.


Risk-based safety [25] is an approach to safety based on the identification of hazards, 
analysis of risk, and mitigation of risk to an acceptable level. This approach stands in contrast to 
the prescriptive safety approach where specific features are required in a system to achieve a 
known basic level of safety [25]. To measure safety risk, severity and likelihood scales are 
constructed in a way that is meaningful to outcome criticality and stakeholder risk averseness. A 
common ordinal and qualitative severity scale used in aviation by the FAA has the levels No 
Safety Effect, Minor, Major, Hazardous, and Catastrophic, corresponding to degrees of
safety-relevant effects on things such as the aircraft itself (e.g., effects on functional capabilities and
safety margins), the occupants (e.g., from minor discomfort to fatalities), and the flight crew
(e.g., workload level, physiological discomfort, and fatalities) [23]. Depending on the situation
under consideration, a severity scale may also account for effects on air traffic control, air space
traffic (e.g., separation between aircraft), and people on the ground. Quantitative severity scales
for safety risk are also used based, for example, on number of fatalities [28] and cost of property
damage. Ordinal and qualitative likelihood scales may have levels such as frequent, probable,
occasional, remote, and improbable [23]. Quantitative likelihood scales measure probability of
an event in terms of frequency per unit of exposure (e.g., per flight hour, per mile traveled, or per
flight).


Acceptable Level of Safety (ALOS) describes the level of safety risk that is acceptable to 
stakeholders, including customers, operators, oversight authorities, society, and others. ALOS is 
determined by values and preferences applied consciously or subconsciously to considerations of 
benefits and costs of an undertaking [29] [30] [31]. The general pattern of ALOS is an inverse 
relation between the severity and the likelihood of an event (Figure 5), where there is broad 
agreement on the extreme regions of acceptable and unacceptable risk, and a transition region of 
risk acceptability that must be resolved by analytic-deliberative group decision-making 
processes. The acceptability of risk depends on objective and subjective factors, and thus, it can 
vary among individuals, groups, and societies. Some of the subjective factors that influence
judgments of risk acceptability include [30] [32]:

• voluntariness of assuming the risk;
• controllability of the risk;
• severity of the risk;
• uncertainty averseness;
• delay of effects;
• availability of alternatives;
• familiarity with the risk;
• exposure as a necessity vs. as a luxury;
• occupational vs. non-occupational exposure; and
• reversibility of effects.
Figure 5: General model for Acceptable Level of Safety (ALOS)
(Axes: Likelihood, Severity)


The European Aviation Safety Agency (EASA) has proposed a risk hierarchy as a basis for
assessing the acceptable level of safety risk, such that the higher a person is in the hierarchy, the
lower the acceptable risk level is (i.e., ALOS is higher); and the lower a person is in the
hierarchy, the more accepting they are of the risks of the activity [33]:

1. Uninvolved third parties;
2. Fare-paying passengers in commercial air transport;
3. Involved third parties (e.g., air show spectators, airport ground workers);
4. Aerial work participants and air crew involved in aviation as workers;
5. Passengers and participants on non-commercial flights; and
6. Private pilots on non-commercial flights.

This hierarchy captures the general gradient of societal concern for safety and the expected
level of governmental responsibility in ensuring an acceptable level of safety [34].


A risk analysis requires a description and modeling of the system of interest (SOI). The level
of detail in the system model must be suitable for the analysis and the intended audience. In
general, the level of detail in the description (i.e., the depth) varies inversely with the scope (i.e.,
the breadth) of the SOI [23]. A 5M system model contains the types of elements considered in
most systems:

• Mission: the purpose or central function of the system;
• Man: human elements of the system involved in activities such as operations,
  maintenance, installation, etc.;
• Machine: hardware and software of the system;
• Media: the environment, including operational (e.g., traffic density, workload) and
  ambient (e.g., temperature, precipitation, humidity) conditions; and
• Management: the procedures, policies, and regulations relevant to the system.


The identification of safety hazards is necessarily a subjective and qualitative activity driven 
primarily by judgment, experience, and stakeholder and regulatory requirements. Because of 
this, it is generally impossible to ascertain the completeness of the identified hazard scenarios, 
and underappreciated and unknown scenarios and hazards may remain missing from the analysis 
[35]. Furthermore, as the complexity of the system increases, it becomes increasingly difficult to 
describe the system accurately and both epistemic (i.e., knowledge) and aleatory (i.e., variability) 
uncertainties become a concern [36]. However, the primary threat to system safety in complex 
systems is epistemic uncertainty (i.e., lack of knowledge about the system and its environment). 
An interesting and insightful observation is that “if enough were known about factors such as 
design errors to define a probability for them, the safety would be more effectively enhanced by 
removing the design error than by measuring it in order to convince someone that it will never
cause an accident” [37].


The system safety discipline uses primarily qualitative risk characterization. The reason for 
this is that for a large system with many hazards, it can be cost prohibitive to quantitatively 
analyze and predict the risk for every hazard [37] [25] [38]. In addition, as the required 
analytical precision depends on the magnitude of the target level of safety, low-risk hazards can 
be adequately analyzed with a lower degree of precision than high-risk hazards [38]. In general, 
higher-severity hazards with lower-likelihood targets require qualitative and quantitative
analyses to achieve adequate confidence in the results.

Figure 6: Bow-Tie model for hazard analysis


A Bow-Tie model is a tool for structured analysis of the causes and effects of hazards. As 
illustrated in Figure 6, a Bow-Tie diagram identifies the causes of hazards and their 
consequences using, for example, fault trees and event trees. In general, the links between
causes, hazards, and consequences are a function of the state of the system and the environment.

The goal of the system safety process is to ensure that the safety risk profile meets the ALOS
requirements. This can be accomplished with a balanced combination of risk mitigation
strategies:

• Risk Avoidance: This involves the selection of a different approach, including possibly
  not developing or operating the system and not performing the activity at all;
• Risk Transfer: Transfer ownership and responsibility to another party who may be in a
  better position to deal with the risks. Examples of this include transferring the
  development and operation of the system to a more mature organization and acquiring an
  insurance policy to guard against financial losses due to potential mishaps;
• Risk Assumption: This is simply accepting the risk level. This may be an acceptable
  strategy depending on cost-benefit considerations; and
• Risk Control: This involves the implementation of strategies to mitigate (i.e., reduce) the
  risk by controlling the likelihood of hazards, their consequence, or both.


A risk control strategy may use a combination of approaches to prevent the occurrence of 
hazards and protect against their effects. These include, in order of preference based on cost and
effectiveness [27]:

1. Design for minimum risk: eliminate risks;
2. Incorporate safety devices: reduce risks by means of safety features and checks;
3. Provide active warning: avert the effects of a hazard by detecting the condition and
   producing adequate warning; and
4. Develop procedures and training: prevention and protection by following prescribed
   procedures.


These risk controls are conceptualized as managerial, system development, and operational 
barriers for hazard prevention and protection (Figure 7). One concern with this approach is that 
as the complexity and criticality (i.e., hazard severity) of the system increases, many more paths 
of potential causes and consequences of hazards become relevant to ensuring that the required 
level of safety is achieved, simply because a much lower likelihood of safety-related events is 
required. In effect, the fault trees of hazard causes and the event trees of hazard consequences 
become both wider and deeper, with a consequent increase in the required number and 
sophistication of safety barriers. This leads to a possibly exponential increase in the complexity 
of the system and its administration, development, and operation. It has been observed that “if it 
weren’t for the potential failures resulting from physical faults, threats, misuse, or errors, most of 
the complexity of today’s modern systems would be unnecessary” [39]. Thus, actions intended 
to increase system safety may instead lead to reduced safety by increasing the complexity of and 
uncertainty about the system. At high levels of complexity and criticality, the safety risk profile 
of the system becomes sensitized to decisions and actions made far removed from the system,
including staff, management, company, regulator, and government levels [40] [41].

Figure 7: Bow-Tie model with prevention and protection barriers
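
The bow-tie with prevention and protection barriers described above can be quantified as a fault tree feeding an event tree. The following is an added example, not code from the report: it assumes independent events, and the link-loss scenario, every probability, and the ALOS targets are constructed values for illustration.

```python
from math import prod

# Constructed values throughout: the link-loss scenario, every probability and
# the ALOS targets are assumptions for illustration, not data from the report.
ALOS_TARGET = {  # assumed maximum probability per flight hour, by severity
    "Minor": 1e-3, "Major": 1e-5, "Hazardous": 1e-7, "Catastrophic": 1e-9,
}


def gate_probability(node):
    """Left side of the bow-tie: probability of a fault-tree node.

    A node is a float (basic event probability per flight hour) or a tuple
    (gate, children) with gate "AND" or "OR". Events are assumed independent.
    """
    if isinstance(node, (int, float)):
        if not 0.0 <= node <= 1.0:
            raise ValueError(f"probability out of range: {node}")
        return float(node)
    gate, children = node
    probs = [gate_probability(child) for child in children]
    if gate == "AND":
        return prod(probs)
    if gate == "OR":
        return 1.0 - prod(1.0 - p for p in probs)
    raise ValueError(f"unknown gate: {gate}")


def with_prevention(cause, barrier_pfds):
    """A cause leads to the hazard only if every prevention barrier fails.

    barrier_pfds holds each barrier's probability of failure on demand.
    """
    return ("AND", [cause, *barrier_pfds])


def event_tree(hazard_prob, protection_barriers, worst_severity):
    """Right side of the bow-tie: consequence probabilities by severity.

    protection_barriers is an ordered list of (pfd, severity_if_it_works).
    Barriers are challenged in order; the first one that works limits the
    outcome to its severity. If all fail, the outcome is worst_severity.
    """
    outcomes = {}
    reach = hazard_prob  # probability of arriving at the current branch point
    for pfd, severity in protection_barriers:
        outcomes[severity] = outcomes.get(severity, 0.0) + reach * (1.0 - pfd)
        reach *= pfd
    outcomes[worst_severity] = outcomes.get(worst_severity, 0.0) + reach
    return outcomes


def alos_violations(outcomes, targets=ALOS_TARGET):
    """Severities whose computed likelihood exceeds the acceptable level."""
    return sorted(s for s, p in outcomes.items() if s in targets and p > targets[s])


def baseline_outcomes():
    # Hypothetical hazard: loss of the UA command link.
    causes = ("OR", [1e-4,                     # ground station failure
                     ("AND", [1e-3, 1e-2])])   # primary and backup link both fail
    barriers = [(0.1, "Minor"),    # automatic return-to-base
                (0.01, "Major")]   # controlled flight termination
    return event_tree(gate_probability(causes), barriers, "Catastrophic")


def mitigated_outcomes():
    # Same hazard with one more prevention barrier and one more protection barrier.
    causes = ("OR", [with_prevention(1e-4, [1e-2]),  # redundant ground station
                     ("AND", [1e-3, 1e-2])])
    barriers = [(0.1, "Minor"), (0.01, "Major"),
                (0.01, "Hazardous")]  # added: geofence keeps the UA over empty terrain
    return event_tree(gate_probability(causes), barriers, "Catastrophic")


if __name__ == "__main__":
    for name, outcomes in (("baseline", baseline_outcomes()),
                           ("mitigated", mitigated_outcomes())):
        print(name)
        for severity, p in outcomes.items():
            print(f"  {severity:<13}{p:.3e}  (target {ALOS_TARGET[severity]:.0e})")
        print("  exceeds ALOS for:", alos_violations(outcomes) or "none")
```

In this constructed case the baseline design exceeds the assumed targets for Major and Catastrophic outcomes, and meeting them takes an extra barrier on each side of the bow-tie, which is the widening and deepening of the trees that the paragraph above describes.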


The positive correlation between productive complexity (i.e., for the purpose of effectiveness 
and benefits) and protective complexity (i.e., for the purpose of safety) leads to a development 
and regulatory conundrum. Figure 8 illustrates the notional relation between safety effort and 
costs [23]. As the size and rigor in the system-safety program increase, the cost of accidents due 
to an inadequate safety program decreases exponentially, but unfortunately, the cost of the 
program itself increases exponentially because of the scope and complexity of the effort. This 
high cost of ensuring a safe system reduces the incentive of manufacturers to develop innovative 
systems that would reduce the risk of accidents, simply because the cost to the manufacturer 
would outweigh the benefits. As shown in Figure 9, the safety effort exponentially reduces the 
safety risk due to inadequacies of the safety program, but the risk of accidents increases 
exponentially due to lack of safety innovations as the environment evolves, which in the case of 
the NAS is due to changes like new operational procedures, airspace structure changes, new 
systems, and airport changes [42]. The challenge for NAS regulators is to achieve and preserve a
favorable balance of cost and safety risk by managing factors such as [42]:

• prescriptive vs. performance-based regulations;
• standardization vs. rapid evolution of regulatory material;
• optimize for one industry segment vs. accommodate a range of equipment and
  operations;
• optimize airspace procedures vs. accommodate a range of capabilities and non-normal
  operation;
• local optimum and specificity vs. global harmonization and applicability;
• expert-based operation vs. reliance on procedures and checklists; and
• personal vs. organizational accountability.

Figure 8: Cost vs. Safety Effort [23]

Figure 9: Risk vs. Safety Effort [42]


4.3. Government Regulation


Government regulation has been defined as “any government measure or intervention that 
seeks to change the behavior of individuals or groups” by giving them rights or restricting their 
behavior [43]. Also, regulation is sustained and focused control by a public agency over 
activities that are valued by a community [44]. For decades, there have been complaints from 
businesses and the public about government over-regulation, legalism (in the sense of 
prodigiously enacting laws and strictly enforcing them), inflexibility, indifference to the cost of 
compliance with regulations, and ineffectiveness of laws and regulations [45]. As a result, there 
has been a long-term push in government to adopt private sector practices of organizational 
management and operation for greater effectiveness, efficiency, transparency, and accountability. 
Other desirable attributes of regulations include independence (i.e., unbiased and objective), 
clarity (i.e., coherent, logical, and practical), proportionality (i.e., appropriate to the problem of 
concern and cost-effective), consistency (i.e., regulations should complement each other and be
enforced consistently), and targeting (i.e., focus on defined problems and minimization of
unintended effects) [43] [46].


In general, government regulations can be seen as being about the control of risks (i.e., 
potential for unintended and undesired outcomes) [44]. Government regulators have a range of
strategies they can use to achieve their objectives including [44]:

• command and control: i.e., legal authority is used to impose standards by prohibiting
  certain forms of conduct, demanding positive actions, or setting minimum conditions for
  participation;
• incentives: i.e., use of contracts, grants, loans, subsidies, or other incentives to influence
  conduct;
• harness market controls: e.g., channeling of competitive forces for desired ends;
• disclosure: e.g., deployment of information to enable better decision-making by the
  public;
• direct action: e.g., physical government action to control a hazard; and
• rights and liabilities laws: i.e., allocated in order to create incentives and constraints on
  undesirable behavior.


Risk-based regulation is “the prioritization of regulatory actions in accordance to the 
assessment of the risks that parties will present to the regulatory body’s achieving its objectives” 
[44]. This approach to regulations focuses on the control of relevant risks to the achievement of 
specified system-level or activity-level goals and objectives, rather than ensuring compliance 
with a set of rules. An important observation regarding risk-based regulation is that risk in this 
context refers to the general sense of the term as potential for unintended and undesired 
outcomes of an activity or undertaking, and not only the sense of safety-related risk that is the 
major focus of this report. In the case of aviation, the goals would be related to operational 
safety, performance (e.g., orderly and expeditious flow of aircraft), and cost efficiency. Another 
important observation relevant to the domain of aviation is the distinction between prescriptive 
and performance-based regulation. Prescriptive regulation specifies detailed requirements to use 
things such as methods, techniques, designs, or materials in an activity, but the rationale for these 
requirements is usually implicit. On the other hand, a performance-based (or outcome-based) 
approach to regulations specifies what the desired outcome is, and the regulated are mostly free 
to choose how to achieve the required outcome. The role of the regulator in this regime is to set 
the goals and objectives and to provide oversight to ensure that these are achieved. Many in 
industry prefer this approach because of the transparency and flexibility it enables. A more 
accurate term for this approach combining aspects of risk and performance would be
risk-managed, performance-based regulation.


In the nuclear industry, for example, where risk and performance-based approaches to 
regulation have been used for a long time, safety performance objectives are captured in the form 
of an objectives hierarchy consisting of goals, top-level fundamental objectives, and means 
objectives (which support the accomplishment of the fundamental objectives) (see Figure 10) 
[47] [12]. An analytic-deliberative decision-making process such as illustrated in Figure 11 is 
then followed during system development and operation to identify and evaluate risks and decide 
appropriate actions to mitigate the risks relative to the objectives [48]. A conceptually similar 
approach can be used for aviation regulation [27]. Risk-based regulations are commonly seen as a
more rational, cost-effective, controllable, transparent, and easily justified approach [44].

Figure 10: Notional objectives hierarchy

Figure 11: Risk-based analytic-deliberative process for decision-making [48]


However, risk-based and performance-based regulation approaches present a number of 
challenges that limit their applicability and effectiveness. One of these is the need for the 
performance goals and objectives to be measurable or calculable with a suitable level of 
precision [49]. Likewise, it must be possible to identify and adequately evaluate performance 
risks. Another challenge is being able to meaningfully compare and contrast the effectiveness of 
alternative actions [44]. These challenges are due, in part, to complexity, uncertainty, competing 
objectives, and different stakeholder perspectives [47]. Because of the limitations of purely
risk-based evaluations, decision-making processes instead follow a risk-informed approach that
incorporates other considerations such as multiple technical analyses; evaluation of assumptions,
uncertainties, and sensitivities; stakeholder input; resource and schedule constraints; and other
factors [48].


4.4. National Airspace System


The NAS was created to protect persons and property on the ground, and to establish a safe 
and efficient environment for civil, commercial, and military aviation [50]. The NAS consists of 
air navigation facilities, ATC facilities, airports, technologies, and operational rules and 
regulations (Figure 12). Today, the U.S. National Airspace System is a complex technical and 
social system embedded in the super-system of the national and international transportation 
systems. Viewed as an operational system, the NAS consumes resources (MSI) to enable aircraft 
of diverse sizes, configurations, and performance to share safely, effectively, efficiently, and 
dynamically a common airspace for a myriad of purposes such as movement of goods, policing, 
firefighting and rescue, personal and business travel, and recreation. Entry and exit from the 
airspace by commercial, private, and military aircraft takes place at a large number of 
geographically distributed airfields and airports with a wide range of sizes, traffic volumes, 
weather, and surrounding topography. The airfields and airports in the U.S. have widely varying 
available resources and levels of sophistication in local ATC capabilities and ground facilities for 
aircraft, goods, and people. Flights can range from short duration flights originating and ending 
at the same airport, to cross-country or international flights with distant starting and ending 
locations and routes that cross multiple ATC sectors that must coordinate their activities to 
ensure safe and expedient operations [51]. The major structural elements of the NAS, i.e.,
airports, air traffic control, the airspace, and aircraft, all vary in capabilities and dynamically 
evolve over time as changes are introduced, for example, at airports, airspace structure, 
navigation systems, ATC systems, and operational procedures (Figure 13). In 2010, the NAS 
had 20,000 airports; 242,000 aircraft; 628,000 pilots; 16,000 air traffic controllers; and 59,000 
pieces of communication, weather, and navigation equipment; and there were about 58 million 
safe aircraft operations [52]. From a complexity perspective, the NAS has a very large 
irreducible variety in the sense that there are a large number of local cases with particular 
circumstances and conditions on the ground and in the airspace that require customized
solutions.

Figure 13: Notional depiction of major NAS components [57]

The structure of the national airspace is a complex environment that requires highly technical
ATC procedures [50]. In the context of the NAS regulations, there are two major categories of 
civil aircraft: commercial (including scheduled and non-scheduled transport of passengers and 
cargo) and general aviation (i.e., everything else). Aircraft operate under two categories of flight 
rules: visual (VFR) and instrument (IFR). VFR operation is permitted only when and where the
weather is good or fair as determined by visibility and cloud ceiling; IFR operation is required
under all other conditions. Under VFR, the pilot has primary responsibility for seeing and
maintaining safe separation from other aircraft. Under IFR, ATC exercises positive control over 
all aircraft in the controlled airspace and has primary responsibility for aircraft separation. The 
majority of commercial air traffic operates under IFR regardless of the weather, although ATC 
can delegate visual separation responsibility to IFR aircraft if the weather is favorable. IFR 
operation is allowed only if the pilot is certified for this type of operation and the aircraft 
satisfies requirements for minimum level of communication and navigation equipage. Under 
IFR operations, aircraft must file a flight plan, follow ATC instructions, and request ATC
clearance to deviate.


The airspace is structured into different classes of airspace as illustrated in Figure 14. These 
classes are in accordance with the International Civil Aviation Organization (ICAO) airspace classification
[53]. The classes of airspace are:

• Class A: From 18,000 to 60,000 ft. mean sea level (MSL); IFR only operation; ATC
  clearance to enter; ATC-provided separation;
• Class B: From the surface to 10,000 ft. above the surface surrounding the busiest airports
  in terms of operations or passenger enplanements; IFR and VFR operations; ATC
  clearance to enter; ATC-provided separation;
• Class C: From the surface to 4,000 ft. above the surface surrounding airports that have an
  operational control tower, are serviced by a radar approach control, and have a certain
  rate of IFR operations or passenger enplanements; IFR and VFR operations; two-way
  radio communication with ATC required to enter and operate; ATC provides separation
  for all IFR aircraft and for VFR aircraft from IFR aircraft; Traffic information and
  avoidance advice provided upon request;
• Class D: From the surface to 2,500 ft. above the surface surrounding airports with an
  operational control tower; IFR and VFR operations; two-way radio communication with
  ATC required to enter and operate; ATC provides IFR-IFR separation only; Traffic
  information and avoidance advice provided upon request;
• Class E: Controlled airspace other than A, B, C, or D; No requirement for VFR to
  contact ATC upon entry; ATC provides IFR-IFR separation only; VFR traffic
  information provided as far as practical; and
• Class G: Uncontrolled airspace; No ATC services for IFR or VFR.

Figure 14: Airspace classifications [91]


In addition to these airspace classes, there is airspace designated as Special Use where certain 
activities must be confined or limitations are imposed on aircraft not performing part of those
activities. This space is further sub-divided into:

• Prohibited: aircraft flight is prohibited for security or other reasons;
• Restricted: operations are potentially hazardous and subject to restriction;
• Military Operations Area (MOA): areas designated for military training activities;
• Warning: similar to Restricted, but outside of U.S. jurisdiction;
• Alert: may contain unusual types of aerial activity such as pilot training; and
• Controlled Firing Areas (CFA): presence of potentially hazardous activities, but these
  must be suspended if an aircraft approaches the area.


Because of the complexity of the airspace and the need to handle contingencies, the design of
the NAS generally favors uniformity, order, and predictability to ensure safety and efficiency.
This is a general characteristic in the management and operation of highly complex systems [21].


The technical operational layer of the NAS is governed by a managerial, organizational, and 
legal structure that monitors and coordinates NAS operations; interacts with internal and external 
stakeholders to ascertain the overall performance and impact of the NAS, and to identify trends 
that might necessitate changes to the NAS; and establishes governance principles, regulations, 
and policies for every aspect of the NAS. This higher-level governing system is run and 
managed by the Federal Aviation Administration (FAA), a large administrative organization of 
the U.S. federal government with internal and external cultural and political factors and 
conditions that constrain the ability of the organization to perform and adapt in a time- and cost- 
effective manner and provide services that meet customer expectations. Successful operation of 
the NAS depends on the structure and dynamics of the interactions of both technical and 
administrative elements of the system, as well as the interactions of the system with the external 
environment and context. From an organizational standpoint, this system has formally defined 
boundaries that separate internal from external elements. However, from the point of view of 
influence on the operation and evolution of the system, the boundary is much more uncertain and 
dynamic because, as a Government-administered system, the stakeholders outside the formal 
boundary of the system hold a large degree of power (i.e., influence) over what happens within 
the system. Each of these stakeholder groups has a different perspective on the NAS, as well as 
different interests in the outputs and outcomes of the NAS. A thorough stakeholder analysis (for 
example, as proposed by [18]) is outside the scope of this report. However, it seems clear that 
there is a large number of relevant stakeholders and that they have varying degrees of power 
(i.e., ability to influence other stakeholders), legitimacy (i.e., perception that the actions of the 
stakeholder are desirable, proper, or appropriate), and urgency (i.e., claims require immediate
attention).

Figure 15: High-level contextual model of the NAS


The NAS is influenced by a complex contextual structure of resources, technology, 
information, skills, policies, regulations, economics, politics, culture, and social dynamics at 
local, state, national, and international levels. Figure 15 is a simple model of the NAS with 
administrative and operational layers, and external environmental and contextual elements that 
include government, private industry, and the public. The importance of the system context is 
that it bounds what the system is and does, and the impact it has on its environment. As such, 
the context contains much of the soft aspects of the human dimension, including organizational, 
managerial, political, policy, and social. The stakeholders are present in the NAS system itself, 
the environment, and the context. The attitude of individual stakeholders and stakeholder groups 
toward the NAS and proposed local and system-wide changes to the NAS can range from 
entirely supportive (i.e., enabling; in favor and cooperative) to entirely opposing (i.e.,
constraining; a threat and non-cooperative).


In general, a socio-technical system such as the NAS can be conceptualized in terms of hard and
soft layers (see Figure 16). The hard layer is objective, explicit, and unitary relative to purpose 
and goals. The soft layer is subjective, tacit, and pluralistic. The hard layer contains things such
as physical entities, technology, plans, actions, decisions, organizational structures, work
processes, and policies. The soft layer contains values, attitudes, intention, mood, ethics, morale,
and culture. The hard and soft layers interact to make and implement decisions. As illustrated in 
Figure 16, more-strategic decisions made upwards are implemented downwards by more- 
operational decisions. Soft aspects tend to be more dominant upwards in the system. In general, 
each strategic decision is implemented by a multitude of lower level decisions. The outcomes of 
decisions higher in the system can have a higher impact but can also be more uncertain and the 
time between implementation and outcome can be larger. In addition, the higher layers of the 
system tend to change more slowly than the lower layers. To remain viable, the system must 
have feedback between higher and lower layers to account for implementation constraints and
unintended down-stream effects [54].

Figure 16: Hard and soft layers of the NAS


Figure 17 shows a process model for system transformation. This model is an adaptation of 
the one proposed by Mozdzanowska et al. [55]. The transformation process receives as input the 
operational demand, the system capability options, and the values of the stakeholders. Decisions 
for system change are the result of negotiation and implementation processes aimed at 
incorporating the system capability preferences of the stakeholders in realistic implementations 
that satisfy regulatory constraints about the operation of the system. This model is generic and 
applicable to systems and subsystems. Not shown in Figure 17 are feedback paths through the
external environment that interact with the dynamic cycles within the system and can influence
positively or negatively the operational demand on the system (i.e., there can be positive or
negative feedback through the environment).

Figure 17: General process model of system transformation (Adapted from [55])


The current NAS is one of the safest means of transportation, but the system is already 
strained and it cannot scale to meet future demand. A shortfall in NAS capacity will result in 
lost productivity, increased operational cost, higher fares, and lost value to the airlines due to the 
elimination of flights to keep delays to an acceptable level [56]. The FAA is currently working 
on the Next Generation Air Transportation System (NextGen ATS) in an effort to transform and 
modernize the NAS to meet the future capacity demands, while maintaining safety and 
protecting the environment (Figure 18). NextGen will be a comprehensive transformation of the 
NAS. The transformation to NextGen is intended to increase capacity, flexibility, scalability, 
safety, reliability, and security, while reducing operational costs and minimizing the 
environmental impact in terms of noise and pollution. Through a combination of upgrades to 
airports, ATC, and aircraft enabled by new technologies and new operational procedures, data,
information, and policies, NextGen will introduce [57] [58]:

• collaborative air traffic management (ATM) with distributed decision-making involving
air traffic controllers and aircraft flight crews and operators;
• performance-based operations by which operational procedures are selected based on the
level of performance of the aircraft;
• reduced weather impact through enhanced weather information and forecast sharing and
integration into ATM decision-making;
• high-density airport operations on the ground and in the air with reduced spacing and
separation requirements; and
• flexible terminals and airports by exploiting the ability of aircraft to fly precise routes to
uncover untapped ATS capacity and increase airport throughput.

Figure 18: NextGen ATS Operational View [93]


This section provided a high-level overview of the NAS in its current state of transformation 
to improve its safety and performance for manned aircraft operations. It is in this environment 
that the push for integration of unmanned aircraft is taking place. The next section presents a
high-level overview of regulations for manned aircraft operations.


4.5. Regulation of Manned Aviation 


The governmental responsibilities in the regulation of aviation safety are: 

• Ensure airworthiness of aircraft;
• Ensure the highest level of safety for public transportation;
• Ensure a basic level of safety for passengers in aircraft used for other purposes; and
• Ensure that aircraft can satisfy their safety-related responsibilities for mutual separation
[34].

This is accomplished by:

• Certifying aircraft and supporting ground systems;
• Establishing operating rules; and
• Providing or incentivizing certain capabilities [34].


Aviation laws, policy, regulations, and guidance material can be viewed as a form of risk 
management [34]. From this perspective, the primary regulation strategy is the establishment of 
safety-related requirements to ensure ALOS conditions in operations. As harm to people and
property during aviation operations can be described in terms of scenarios of unsafe (i.e.,
unintended and undesired) flow or movement of mass and energy, the regulations mitigate safety
risks by targeting the causes and effects of such scenarios, either at the level of systems (i.e.,
whole purposeful structures) or at the level of individual elements and interactions. Certification
in this context means approval and authorization for use, and applies to aircraft, personnel,
operations, procedures, facilities, and equipment. The regulations address the three major kinds
of aviation hazards: technical factors, human factors, and organizational factors [59].


The U.S. Federal Aviation Regulations (FARs) are contained in Title 14 of the Code of 
Federal Regulations (14 CFR) [60]. The FARs consist of 68 parts organized into volumes and 
subchapters as shown in Table 1 [61]. The regulations recognize two kinds of aircraft 
airworthiness certifications: standard and special. Table 2 lists the aircraft categories for 
airworthiness certificates, which attest that an aircraft is in condition for safe operation based on 
compliance with applicable regulations of aircraft design and manufacture. Notice that UA are 
classified as Experimental aircraft. Aircraft airworthiness regulations are extensive and detailed, 
covering most aspects of aircraft design and performance characteristics, as can be seen in Table 
3 for Part 23 of the FARs regarding airworthiness standards for Normal, Utility, Acrobatic, and
Commuter category airplanes.


Table 1: Structure of the Federal Aviation Regulations 


Volume | Subchapter | Content
1 | A | Definitions and Abbreviations
  | B | Procedural Rules
  | C | Aircraft
2 | D | Airmen
  | E | Airspace
  | F | Air Traffic and General Operating Rules
  | G | Air Carriers
3 | H | Schools and Other Certified Agencies
  | I | Airports
  | J | Navigational Facilities
  | K | Administrative Regulations
  | L-M | Reserved
  | N | Risk Insurance

Table 2: Aircraft airworthiness certificates

Airworthiness Certificate Classification | Category | Characteristics
Standard | Normal (Airplane) | • Maximum takeoff weight of 12,500 lbs. • Maximum passenger seating capacity of 9
  | Utility | • Maximum takeoff weight of 12,500 lbs. • Maximum passenger seating capacity of 9
  | Acrobatic | • Maximum takeoff weight of 12,500 lbs. • Maximum passenger seating capacity of 9
  | Commuter | • Multiple engines • Maximum takeoff weight of 19,000 lbs. • Maximum passenger seating capacity of 19
  | Transport (Airplane) | • Multiple engines • Maximum takeoff weight greater than 19,000 lbs. • Maximum passenger seating capacity greater than 19
  | Manned Free Balloons | • Lighter-than-air aircraft that is not engine driven, and that sustains flight through the use of either gas buoyancy or an airborne heater
  | Normal (Rotorcraft) | • Maximum takeoff weight of 7,000 lbs. • Maximum seating capacity of 9
  | Transport (Rotorcraft) | Category A: • Maximum takeoff weight of 20,000 lbs. • Seating capacity of 10 or more. Category B: • Maximum takeoff weight greater than 20,000 lbs. • Maximum seating capacity of 9
  | Special class | • Aircraft for which airworthiness standards have not been issued (e.g., gliders, airships, and other nonconventional aircraft)
Special | Primary | • Maximum takeoff weight of 2700 lbs. (3375 lbs. if seaplane) • Maximum seating capacity of 4 • Unpressurized cabin
  | Restricted (Airplanes) | • Maximum takeoff weight of 12,500 lbs. • Operated under the limitations for the intended use: Agricultural, Forest and wildlife conservation, Aerial surveying, Patrolling (pipelines, power lines), Weather control, Aerial advertising, Other operations specified by the FAA
  | Multiple | • Multiple airworthiness certificates
  | Light-Sport | • Light-sport aircraft, other than a gyroplane, kit-built, or transitioning ultralight-like vehicle; includes Airplanes, Gliders, Gyroplanes, Powered parachutes, Weight-shift-control aircraft (trikes), Lighter-than-air aircraft (balloons and airships) • Maximum weight of 1,320 lbs. for landplanes and 1,430 lbs. for seaplanes • Maximum airspeed of 120 knots • Maximum seating capacity of 2 • Maximum number of engines: 1
  | Limited | • Issued to operate surplus military aircraft converted for civilian use • Limitations imposed as necessary for safe operation
  | Experimental | Purpose: • Research and development • Showing compliance with regulations • Crew training • Exhibition • Air racing • Market surveys • Unmanned aircraft • Optionally operated aircraft • Amateur-built aircraft • Kit-built aircraft
  | Special Flight Permit | • Special-purpose flight of an aircraft that is capable of safe flight (e.g., Flying the aircraft to a base where repairs, alterations, or maintenance are to be performed, or to a point of storage; Delivering or exporting the aircraft; Production flight testing new production aircraft)
  | Provisional | • For special operations and operating limitations
  | Restricted (Rotorcraft) | • Must have been used by the U.S. military

Table 3: FAR Part 23 structure

Part 23: Airworthiness Standards: Normal, Utility, Acrobatic, and Commuter Category Airplanes

Subpart | Sections
A - General |
B - Flight | General, Performance, Flight Characteristics, Controllability and Maneuverability, Trim, Stability, Stalls, Spinning, Ground and Water Handling Characteristics, Miscellaneous Flight Requirements
C - Structure | General, Flight Loads, Control Surface and System Loads, Horizontal Stabilizing and Balancing Surfaces, Vertical Surfaces, Ailerons and Special Devices, Ground Loads, Water Loads, Emergency Landing Conditions, Fatigue Evaluation
D - Design and Construction | General, Wings, Control Surfaces, Control Systems, Landing Gear, Floats and Hulls, Personnel and Cargo Accommodations, Pressurization, Fire Protection, Electrical Bonding and Lightning Protection, Miscellaneous
E - Powerplant | General, Fuel System, Fuel System Components, Oil System, Cooling, Liquid Cooling, Induction System, Exhaust System, Powerplant Controls and Accessories, Powerplant Fire Protection
F - Equipment | General, Instruments: Installation, Electrical Systems and Equipment, Lights, Safety Equipment, Miscellaneous Equipment
G - Operating Limitations and Information | General, Markings and Placards, Airplane Flight Manual and Approved Manual Material


In addition to airworthiness regulations based on type of design, aircraft are classified based
on intended use and further airworthiness requirements are applied accordingly. This
classification is based on three factors:

• Is the service provided for private carriage or common carriage?
• Is the aircraft for hire or not for hire?
• Is the aircraft small or large? [61]


Per the FARs, an aircraft is large if it has a maximum takeoff weight greater than 12,500 lbs. A
common carriage aircraft offers for-hire transport service to the general public. A private
carriage for hire offers transport service on contract to one or several selected customers. All
aircraft including general aviation aircraft (i.e., not-for-hire private aircraft) operate under
general operating rules in Part 91: General Operating and Flight Rules. In addition:

• Common carriage aircraft (i.e., airliners) provide scheduled transport services and
operate under Part 121: Operating Requirements: Domestic, Flag, and Supplemental
Operations;
• Private, for-hire aircraft operate under Part 125: Certification and Operations: Airplanes
Having Seating Capacity of 20 or more Passengers or a Maximum Payload Capacity of
6,000 Pounds or more; and Rules Governing Persons On Board Such Aircraft; and
• Scheduled-service, common-carriage, commuter aircraft and nonscheduled-service,
common-carriage aircraft (referred to as air taxis or air charters) operate under Part 135:
Operating Requirements: Commuter and On Demand Operations and Rules Governing
Persons on Board such Aircraft.


National aviation regulations are harmonized, to the largest extent practicable, with the
standards and recommended practices of the International Civil Aviation Organization (ICAO), a
specialized agency of the United Nations charged with the administration and governance of the
Convention on International Civil Aviation (Chicago Convention), which establishes agreed
principles and arrangements for safe and orderly international aviation [62]. Table 4 lists the
annexes to the articles of the Chicago Convention.


Table 4: Annexes to the Convention on International Civil Aviation 


Annex 1 | Personnel Licensing | Annex 10 | Aeronautical Telecommunications
Annex 2 | Rules of the Air | Annex 11 | Air Traffic Services
Annex 3 | Meteorological Service for International Air Navigation | Annex 12 | Search and Rescue
Annex 4 | Aeronautical Charts | Annex 13 | Aircraft Accident and Incident Investigation
Annex 5 | Units of Measurement to be Used in Air and Ground Operations | Annex 14 | Aerodromes (Airports)
Annex 6 | Operation of Aircraft | Annex 15 | Aeronautical Information Services
Annex 7 | Aircraft Nationality and Registration Marks | Annex 16 | Environmental Protection
Annex 8 | Airworthiness of Aircraft | Annex 17 | Security
Annex 9 | Facilitation | Annex 18 | Safe Transport of Dangerous Goods by Air

In 2009, the FAA published the results of an FAA-industry study into the adequacy of Part
23 regulations [63]. The motivation for this study and the later recommendations by the 
Aviation Rulemaking Committee [64] was the general concern in the aviation community that 
certification costs were too high and that the regulations were inadequate for new technology and 
overly prescriptive to the point of discouraging modern safety innovations. There was general 
agreement that over time the regulations had become more comprehensive and complex driven 
by the need to ensure an adequate level of safety for larger aircraft certificated under Part 23, but 
this had created a situation in which the complexity and cost of certifying smaller aircraft had 
become a barrier to the introduction of affordable entry-level aircraft and reduced industry 
competition and innovation. As illustrated in Figure 19, Part 23 regulations had evolved to a state
where aircraft of simple design but adequate level of safety, such as those certificated decades 
ago under earlier versions of the regulations, could not be certificated under the current 
regulations. In essence, for a long time the focus and scope of Part 23 regulations had shifted to 
address the safety concerns of larger and complex airplanes to the detriment of smaller and 
simple ones, and this was (and still is) having a major impact in the development of the general
aviation market.


[Figure 19 chart: requirements / complexity across CAR 3, Part 23, and Future Part 23. Annotations:
"Majority of current GA aircraft are certified to CAR3"; "Explicit requirements, specified in
regulatory code"; "Part 23 needs to be able to capture both simple aircraft as well as future
developments without rewriting the code"; "This gap needs to be recaptured to assure that basic
Part 23 aircraft have the appropriate means of compliance."]

Figure 19: Evolution of Part 23 Regulations [64]

These studies proposed a number of recommendations to remedy the situation. One critical
observation from these studies was that decades ago aviation technology was such that smaller 
Part 23 aircraft were simple and slow and larger aircraft were more complex and faster, but as 
technology and designs have evolved, this is no longer the case. The existing aircraft 
classification approach based on weight and engine type has become an ineffective measure for 
aircraft capability and performance. Hence, it was recommended that Part 23 be reorganized 
based on more direct measures of airplane complexity and performance. In March of this year, 
the FAA published a Notice of Proposed Rulemaking (NPRM) that puts forth a systematic 
revision to Part 23 regulations that moves away from prescriptive regulations and towards a 
performance-based certification approach. Furthermore, this NPRM proposes a redefinition of 
aircraft categories based on passenger seating capacity and aircraft performance for aircraft with 
maximum takeoff weight no larger than 19,000 lbs. [65]. According to the NPRM, this offers a
better approach to accommodate the large diversity of airplane performance, complexity, 
technology, intended use, and seating capacity covered under the current Part 23 regulations. 
This perspective on aircraft classification will be explored later in this report as a basis for an
approach to UA classification.


4.6. Unmanned Aircraft Technology and Applications 


The advent of unmanned aircraft in large numbers has created confusion about what an 
aircraft is and what aviation is about. Unmanned aircraft, especially small ones, are different 
from the common notion of aircraft, which usually means a flying machine in the form of an 
airplane, helicopter, or a variation of these and controlled by an onboard pilot. One definition of 
aviation is the operation of heavier-than-air aircraft [66], which aligns with the common notion. 
But the dictionary also gives a more general definition of aviation as the practice of flying 
aircraft [66]. The FARs define an aircraft as a device that is used or intended to be used for 
flight in the air [60]. ICAO defines an aircraft as any machine that can derive support in the 
atmosphere from the reactions of the air other than the reactions of the air against the earth’s 
surface [67]. ICAO also gives the aircraft classification shown in Figure 20. An inspection of
this figure reveals that unmanned aircraft are not included as a separate class. Per ICAO, an
unmanned aircraft is an aircraft that is intended to operate with no pilot on board [67]. The
FARs offer a similar definition of unmanned aircraft as an aircraft operated without the
possibility of direct human intervention from within or on the aircraft [60]. Based on these
definitions, a UA is an aircraft like any other, and what differentiates a UA from other aircraft as
commonly understood is not any new aerodynamic principles, but simply the absence of an
onboard human pilot to control the aircraft. In theory, any current manned aircraft could be
flown as an unmanned aircraft if properly equipped for remote operation [68]. According to
ICAO, in the future there may be unmanned versions of every category of aircraft [67].


Aircraft
  Lighter-than-air aircraft
    Non-power-driven
      Free balloon: Spherical free balloon; Non-spherical free balloon
      Captive balloon: Spherical captive balloon; Non-spherical captive balloon
    Power-driven
      Airship: Rigid airship; Semi-rigid airship; Non-rigid airship
  Heavier-than-air aircraft
    Non-power-driven
      Glider: Land glider; Sea glider
      Kite
    Power-driven
      Aeroplane: Landplane; Seaplane; Amphibian
      Rotorcraft
        Gyroplane: Land Gyroplane; Sea Gyroplane; Amphibian Gyroplane
        Helicopter: Land Helicopter; Sea Helicopter; Amphibian Helicopter
      Ornithopter: Land Ornithopter; Sea Ornithopter; Amphibian Ornithopter

Figure 20: ICAO aircraft classification


By not having to provide an environment suitable for an onboard human pilot, aircraft 
designers are free to explore new configurations, performance regimes, and missions not possible 
previously. Now aircraft can be designed based on required functionality and payload for 
potential missions, rather than the design of the cockpit [68]. Figure 21 illustrates a UA 
classification used by the U.S. Department of Defense and examples of existing and future UA.
The classification criteria here include aircraft weight, maximum operational altitude, and
maximum speed. Figure 22 illustrates the range of military UA based on endurance (i.e., flight
duration) and payload capacity. These figures show that the scope and variety of design
characteristics of UA (i.e., size, weight, speed, altitude, range, flight duration, and others) may be
as large as or larger than for manned aircraft.

Figure 21: Military unmanned aircraft classification and examples [69]


The wide range of technical performance characteristics available to UA enables a myriad of 
applications beyond what is possible or desirable to do with manned aircraft. From the 
perspective of military applications, UA provide persistence, versatility, survivability, and 
reduced risk to human life, and may be the preferred aircraft choice for missions that are “dull, 
dirty, or dangerous” [69]. In a civilian context, there are three basic kinds of UA applications: 
surveillance (i.e., data collection), support (e.g., communication and data relay, payload drop,
airborne refuel), and transport (of cargo or passengers) [70]. Table 5 lists some of the
applications for unmanned aircraft. UA must have adequate vehicle and payload capabilities to
perform missions like these.

Figure 22: Range of DOD unmanned aircraft based on endurance and payload capacity [94]


Table 5: Partial list of potential applications for unmanned aircraft 


Wildlife mapping | Law enforcement
Agricultural monitoring | Border patrol
Weather monitoring | Search and rescue
Traffic flows monitoring | Fisheries protection
Environmental monitoring | Fire fighting
Aerial imaging | Emergency management
Power line surveys | Telecommunications
Oil and gas exploration | News coverage
Freight transport | Research (atmospheric, geological, ecological, etc.)
Film making | Real estate imaging and monitoring
Construction | Training
Recreation |

ICAO documents define the concept of a remotely piloted aircraft (RPA) as a subcategory of
UA in which the flying pilot is not onboard the aircraft (Figure 23). This distinction is needed 
because model aircraft fall outside the provisions of the Chicago Convention and autonomous 
aircraft, although subject to the provisions of the Convention, are not expected to be able to 
integrate into the international civil aviation system (of which the U.S. NAS is a part) in the near 
future. ICAO defines autonomous aircraft as UA that do not allow pilot intervention in the 
management of the flight. Special rules apply to model aircraft in the NAS, where a model
aircraft must satisfy requirements such as:

• capable of sustained flight in the atmosphere;
• operated in accordance with a community-based set of safety guidelines;
• weighs no more than 55 lbs., unless otherwise certified through a safety program
administered by a community-based organization;
• operated in a manner that does not interfere with and gives way to any manned aircraft;
and
• flown for hobby or recreational purposes [8] [68] [71].


[Figure 23 diagram labels: Unmanned Aircraft; Model Aircraft; Autonomous Aircraft]

Figure 23: Unmanned aircraft as remotely piloted aircraft [72]

The rest of this report deals specifically with RPA UA that may have automated or semi-
autonomous functionality, but there is always a remote pilot that can intervene in the
management of the flight.


An RPA UA is piloted from a remote piloting station (RPS) via a command and control (C2) 
link. An RPA, RPS and C2 link together comprise an RPA system (RPAS) [72]. The C2 link 
function can be realized with two basic architectures, depending on the structure of the physical 
data flow path: radio line-of-sight (RLOS) and beyond RLOS (BRLOS). In an RLOS 
configuration, there is direct electronic point-to-point contact between the transmitter and 
receiver as they are in mutual radio link coverage [67]. This configuration applies to visual line- 
of-sight (VLOS) operations, in which the pilot maintains direct visual contact with the RPA, and 
also RLOS operation beyond VLOS (BVLOS), where data flows directly between the RPS 
transmitter and the RPA receiver (Figure 24), or through a mediating transceiver network with 
comparable time delays. In a BRLOS configuration, the data flows through a transceiver 
network, with terrestrial, airborne, and/or orbital satellite elements (see Figure 25), and the delay 
is significantly larger than for RLOS to the extent that it can affect the time precision and the
kinds of actions implemented through the C2 link.

Figure 24: Basic RLOS C2 link [72]

Figure 25: BRLOS C2 link with satellite relay [72]


In (air traffic) controlled airspace, the pilot must be able to communicate and respond to ATC
commands with effectiveness and efficiency comparable to that of manned aircraft. A number of
communication architectures are possible, including:

• RLOS in which the RPA serves as a relay between the RPS and ATC (Figure 26);
• BRLOS with intermediate relay transceivers as well as relay through the RPA itself;
• Direct radio communication between RPS and ATC (i.e., not relayed through the RPA)
(Figure 27);
• Direct ground communication between RPS and ATC (e.g., a telephone line);
• RPS-ATC ground communication through a mediating network (Figure 28); and
• Satellite-based RPS-ATC communication [72].

Figure 26: RPS-ATC communication with RPA relay [72]

Figure 27: RPS-ATC direct radio communication [72]

Figure 28: RPS-ATC communication through ground-based network [72]

Currently there are proposals for an ATC system specifically designed for managing UA
traffic operating near ground level in airspace normally not used by manned aircraft. NASA’s 
UAS Traffic Management (UTM) concept is an example of such a system (Figure 29) [73]. For 
the purpose of this report, this low-altitude region will be referred to as ground-space and 
includes the airspace (and the air traffic within it) and the surface topography with natural (e.g., 
mountains, trees) and manmade features (e.g., buildings, tower, bridges, etc.). ATC in this 
region will be referred to as ground-space traffic control (GTC). Thus, an RPA pilot may 


interact with ATC and/or GTC during a mission (i.e., an operation) (see Figure 30). 


Remote 
Pilot 


Figure 30: ATC-RPS-GTC communication 
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4.7. Unmanned Aircraft Safety Risk 


The operational environment of remotely piloted unmanned aircraft includes the airspace and 
the ground-space, as illustrated in Figure 31. To accomplish its mission, the UA pilot must 
navigate this environment with the help of RPS and UA sensors, as well as ATC and GTC if 
operating in traffic-controlled areas. From a safety perspective, the major concerns are mishaps 
involving manned and unmanned aircraft in the air, and people and property on the ground 
(Figure 32). Relative to the environment, the operation of the UA itself can be a hazard as the 
potential proximate cause of a mishap. In this sense, there are two scenarios of interest, with two 
subcases each: Flight Into Terrain (FIT) and Loss of Separation (LOS), both under controlled 
and uncontrolled flight [74]. Hazardous controlled flight can be due to inadequate or incorrect 
information available to the pilot and loss of situational awareness (e.g., confusion) about the 
state of the UA and the environment. Hazardous uncontrolled flight includes cases such as loss 
of C2 link, internal failure of the UA, and in-flight upset where the UA is in an uncontrollable 
attitude (e.g., upside down). 

Figure 31: Unmanned aircraft in operational environment 

Figure 32: Major mishap scenarios for unmanned aircraft 

Figure 33: Structural view of UAS interacting with its environment 


For a deeper understanding of the safety-related aspects of RPA UA operation, we need a 
structural view of the UAS and its environment. This is illustrated in Figure 33. The UAS 
consists of hardware and software systems (including mechanical systems, electrical systems, 
electronic systems, hydraulic systems, avionics, and so on), as well as the flight and mission 
crew in charge of operating the UA and its payload. The environment includes the operational 
and natural environments with which the UAS must interact, both in the airspace and the 
ground-space. In this partitioned abstract view, the flows of interest between the UAS and the 
environment include only information (i.e., data). To accomplish the mission, the pilot must 
navigate the environment using: the mission plan and procedures; information from the airspace, 
ATC, ground-space, GTC, the RPA UA, and the RPS; and the capabilities of the UAS in terms 
of aerodynamic and functional performance, including information-processing capabilities. 


According to one model, the UAS, including the pilot, RPA, and RPS, performs four 
top-level functions: Aviate, Navigate, Communicate, and Mitigate [75]. The Aviate function 
consists of the actions to control (i.e., change and stabilize) the attitude and flight path of the UA. 
The Navigate function includes all the activities for managing the desired trajectory and executing 
the mission plan. The Communicate function deals with the exchange of information (both voice 
and data) with ATC, GTC, and other aircraft. The Mitigate function manages (i.e., prevents and 
minimizes the impact of) unintended interactions and contingencies related to the operational and 
natural environments and the UAS itself. The execution of these functions must be coordinated 
to ensure overall success and safety of the mission. The UAS may incorporate automation 
systems intended to reduce the workload of the pilot in the performance of these functions. 

Figure 34: 3P model of task management augmented with SRK model of behavior 


The 3P model, illustrated in Figure 34, describes the iterative process in managing piloting 
tasks [76]. In the Perceive step, the pilot gains situational awareness by gathering information 
relevant to the task and making sense of it. In the Process step, the pilot decides how to proceed 
based on the intent, the plan, and the current situation. In the Perform step, the pilot performs the 
decided action to make progress toward achieving the current goal. With each step, the scope of 
the world under consideration gets progressively smaller as information is ranked by criticality 
(i.e., impact and urgency) to the task and the step being performed (see Figure 35). 


In the iterative 3P process of task management, the pilot uses a mix of skill-based, 
rule-based, and knowledge-based behavior (SRK) to accomplish the mission objectives [77]. 
Skill-based behavior consists mostly of automatic and subconscious sensory-motor acts that process 
information from the pilot’s environment as signals representing continuous variables. 
Rule-based behavior is the semi-conscious application of existing rules or procedures (either 
empirically derived or otherwise acquired) to known situational patterns recognized by signs in 
the state of the environment. Knowledge-based behavior is mostly conscious and deliberate 
problem solving and decision making by contextualizing information about the state of the 
environment at an abstract level as symbols and deriving suitable actions to handle situations 
unlike those previously experienced. Each step up in behavior is triggered by the demands of the 
task to deal with progressively complex and unfamiliar situations. Higher-level behaviors also 
take progressively longer to execute. Generally, automation systems are designed to 
perform actions that require skill-based behavior and some rule-based behavior. The pilot then is 
responsible for managing the automation, including possibly taking over in case of a failure. 

Figure 35: Progressive scope of information relevance in the 3P model of task management [76] 

UAS mishaps, both FIT and LOS, may be caused by human error or technical system 
failures. Human error accounts for 80% of all aviation mishaps and technical system failures 
account for 20% [78]. Human errors can be errors in perception, processing, or performance, 
either slips or lapses in skill-based behavior, or mistakes in rule-based and knowledge-based 
behavior [79]. Human error can also be due to routine or exceptional violations of established 
operational norms and procedures. In general, the higher the amount and complexity of the 
workload, the more likely that human error will happen. Technical system failures can have a 
number of causes. These systems are usually developed using recognized international 
standards, such as ARP-4754A for systems [80] and DO-178 for software [81], and are allocated 
reliability and safety requirements suitable to their functional criticality. The major technical 
concerns for UA are detect-and-avoid (DAA) capability and lost-C2-link procedures [82]. 
Nonexistent or inadequate DAA capability, either ground-based or airborne, can impact situational 
awareness and the ability of the UAS to avoid collisions, especially during VFR operation. 
Failure of the C2 link must usually be mitigated by on-board automatic contingency procedures 
and ATC or GTC procedures to protect the air traffic. 


4.8. Considerations for Unmanned Aircraft Regulations 


The NAS is a system created and managed for the benefit of society. At the system level, the 
intent is to maximize the benefits of this enterprise and to minimize the costs and undesired 
consequences of its operation. This means that primary assessment criteria for the NAS are 
safety (relative to harm to people, property, and the environment), effectiveness (e.g., capacity 
and expediency of operations), and efficiency (e.g., cost-benefit ratio). The system is expected 
to adapt to the trends in service demand and to changes in stakeholder values, preferences, and 
expectations. The evolution of the system is enabled by knowledge and technological advances, 
and it is constrained by complexity, polytely (i.e., multitude of competing goals), resources, and 
circumstances and conditions external to the system. 


The NAS is undergoing the transformation to NextGen, which is intended to achieve a step 
increase in performance to meet projected future demand in manned aviation [6]. However, the 
NextGen planning and architecture did not anticipate the demand for UAS in the NAS, and the 
system is not suitable for the introduction of these types of aircraft [83]. Nevertheless, the 
FAA’s intent is to initially accommodate UAS operations with special procedures and 
mitigations to ensure minimum adverse impact on NAS safety and efficiency, and to gradually 
proceed toward integration as policy, regulations, standards, and operational procedures are 
developed [84]. 


Part 107 of the FARs, applicable to small UAS (sUAS), is the most recent step in this direction. 
Part 107 sets a multitude of operational restrictions, among them: 

• UA must weigh less than 55 pounds; 
• VLOS operation; 
• daylight operation; 
• remote pilot is allowed to control only one aircraft at a time; 
• minimum weather visibility of 3 miles from the control station; 
• no flight over persons not directly participating in the operation; 
• maximum groundspeed of 100 mph; and 
• maximum altitude of 400 feet, or remain within 400 feet of a structure if flying higher 
  than 400 feet above ground level. 

Part 107 requires the remote pilot to have a remote airman pilot certificate with a small UAS 
rating. Preflight inspections of the UAS are required, but airworthiness certification is not 
required. 

The issues pertaining to the integration of UA into the NAS include: 

• UAS certification: lack of experience in certifying UAS; Figure 36 gives a sense of the 
  scale and variety of regulatory products that must be generated to certify and approve the 
  operation of UAS; 
• Operating rules and procedures for UAS: many existing operating rules and 
  procedures require human vision from onboard the aircraft; 
• UA performance: UA generally do not satisfy communication, navigation, and 
  surveillance (CNS) performance required in some areas of the airspace; 
• UAS operational profiles: UA aerodynamic performance characteristics can be quite 
  different from manned aircraft and this complicates the task of ATC; 
• Inadequacy of ATM automation: ATC decision support tools are not suitable for 
  managing the complexity of integrated manned and unmanned aircraft operations; 
• UAS airport operations: many airports and support infrastructure are not intended nor 
  suitable for handling UAS; 
• UAS communication link with ATC: inadequate communication infrastructure and 
  service quality; and 
• UAS C2 link: signal delays and link reliability may impact UA control performance, 
  responses to lost-link conditions are not consistent or predictable, and the frequency of 
  lost-link conditions may have a detrimental impact in NAS traffic performance [82] [84] 
  [85]. 

Figure 36: Sampling of regulatory products for certification and operational approval of UAS [88] 


From the perspective of society, UA are simply aircraft and the expectations for safety are 
based on the perception of the potential for harm to third parties and the people involved. As a 
result, manned and unmanned aircraft exist in a common continuum of public concern and 
demand for safety assurance, as illustrated in Figure 37 [34] [42] [86]. 

Figure 37: Safety Continuum demanded by society [86] 


In addition to technical and safety aspects of UAS operations in the NAS, other 
considerations for UA regulations include security, privacy, civil rights, civil liberties, trespass 
and nuisance concerns, preemption of state and local regulations, insurance liability, economic 
impact, noise, and pollution [5] [68] [87]. As with manned aircraft regulations, there is interest 
from regulators and industry that the regulations for unmanned aircraft be: 

• operation-centric (i.e., based on UA safety in the intended operational environment); 
• safety-risk-based (i.e., based on safety risk considerations regardless of whether the 
  operation is for commercial purposes or otherwise); 
• proportionate (i.e., safety requirements tailored to the safety risk posed by the 
  operation); 
• progressive (i.e., tiered); and 
• performance-based (as opposed to prescriptive regulation) [63] [64] [88] [89]. 


5. Analysis 


The aviation regulations are the principal instrument to attain the main goal of the NAS of 
ensuring safety of flight. The structure and content of the regulations are currently, and will 
continue to be in the future, determined primarily by safety considerations. The aviation 
regulations must evolve and adapt to the changing realities and expectations of the public, 
industry, and government, but they must not change so quickly or be so complex that they create 
an environment of uncertainty and discourage participation and innovation. In addition, at any 
point in time, the regulations must be flexible in allowing multiple means of participation and 
compliance as determined by the needs and resources of the regulated, but they must not be so 
permissive as to endanger the very goals they are intended to advance. The regulatory 
framework must also promote other major goals of the NAS, such as expediency and 
cost-efficiency, as well as accommodate other social, economic, and political interests and concerns. 


The safety concern in aviation is the potential for unintended and undesired harm to people, 
property, and aircraft, both in the air and on the ground. The degree of concern increases with 
the perceived magnitude of loss that could result from aircraft in operation. This is captured 
(i.e., modeled) by the inverse relation between severity and likelihood of mishaps for an 
acceptable level of safety (ALOS). The severity scale must account for the objective and 
subjective dimensions of criticality and value. The likelihood scale, too, must account for 
objective and subjective dimensions of probability and uncertainty. From a technical standpoint, 
the ALOS relationship implies that both aleatory (i.e., randomness) and epistemic (i.e., systemic, 
knowledge) components of uncertainty must be accounted for. That is, the ALOS relationship 
applies to both aleatory safety risk and epistemic safety risk (Figure 38). Ensuring aviation 
safety means that both aleatory risk and epistemic risk in operations are acceptable. 

Figure 38: ALOS components: aleatory risk and epistemic risk 

Figure 39: Major elements of a flight operation 


A flight operation consists of four major elements: the mission, the pilot, the aircraft, and the 
environment (Figure 39). The mission includes the purpose, plan, and procedures. From the 
preceding discussion, manned and unmanned aircraft exist in a common continuum of safety 
concern, and unmanned aircraft (RPA in particular) are simply aircraft with a non-conventional 
command, control, and communication (C3) arrangement. Thus, it makes sense to generalize the 
concept of aircraft to that of aircraft system (AS) that encompasses both self-contained aircraft 
with onboard-pilot and flight systems, and unmanned aircraft with remote pilot and physically 
distributed flight systems. The environment includes the operational airspace and ground-space 
with air traffic, ATC, and GTC, as well as the natural environment. 


To accomplish the intended missions, the aircraft system must have aerodynamic and 
functional capability profiles compatible with the requirements of the missions and the 
environments in which the operations will take place. Both inadequate and excessive capabilities 
could result in unfavorable operational effectiveness and/or efficiency, as well as potential 
interaction incompatibility with the environment that could have safety and air-traffic 
performance implications. 


In general, an increase in the desired effectiveness (i.e., benefit) and efficiency (i.e., 
benefit-cost ratio) of aircraft operations is correlated with an increase in the complexity of the missions 
and the variety of operational environments, as well as an increase of the operational productive 
capabilities of the AS. Higher AS capabilities develop along the dimensions of capacity and 
sophistication of aerodynamic and functional performance. That is, increased operational 
effectiveness and efficiency imply a progressively larger space of power and refinement of AS 
flight dynamics and functions. These measures map to the safety-relevant measures of 
performance (e.g., speed, altitude, take-off weight, climb rate, turn rate) and complexity (of 
physical and functional design) identified in the study on Part 23 small airplane certification 
sponsored by the FAA [63]. As aircraft systems are designed for their intended operations and 
customers, their optimum balance of operational effectiveness and efficiency varies. As 
observed in the Part 23 study, given today’s spectrum of available aviation technologies, flight 
performance and design complexity are not correlated in the aircraft fleet. Thus, in effect, 
increased operational effectiveness is correlated with increased flight performance and increased 
complexity of design, both functional and physical, but performance and complexity are loosely 
correlated (Figure 40). 

Figure 40: Aircraft system performance and complexity space with increasing effectiveness 


These measures of AS performance and complexity are significant from a safety standpoint 
because they are critical factors in the potential severity and likelihood of mishaps. As stated 
previously, relative to the operational environment, the operation of the aircraft itself can be a 
hazard as the potential proximate cause of a mishap involving people, property, and other 
aircraft. The AS hazards of interest are hazardous controlled flight and uncontrolled flight, 
which can lead to FIT and LOS. To assess the safety risk of an operation, we need to consider 
the causes and effects of AS hazards (Figure 41). As described in Section 4.2, the safety risk 
factors are: hazard risk, which is a combination of hazard likelihood and severity (i.e., the worst 
possible mishap with the environment in its most unfavorable state); exposure; and likelihood of 
mishap given that the hazard has occurred [26]. The exposure and mishap likelihood are 
determined by the space and time distributions of the mission actions and the environment 
entities, both on the ground and in the air (i.e., what is exposed to the hazard and for how long). 
The severity of the hazard is determined by the level of performance of the aircraft, in terms of 
measures such as mass and energy, and the space and time distribution characteristics of persons, 
property, and aircraft in the operational environment. The hazard likelihood is determined by the 
gap between required and available capabilities, the complexity of the physical and functional 
design of the AS, and the aleatory and epistemic uncertainties about the structure and behavior of 
the technical system, its components, and the flight crew. 

Figure 41: Aircraft system as a hazard in the operational environment 


There are many possible ways of achieving an acceptable level of operational safety. The 
general conceptual approach is to start with a risk evaluation for a baseline configuration of 
mission, aircraft system, and environment, and then introduce risk mitigation contributions from 
these until the ALOS level is reached. This is illustrated in Figure 42. Figure 43 illustrates a 
situation in which an environment constraint is introduced in order to eliminate mishap severities 
above a level S_env that have an unacceptable likelihood. In this example case, only one element 
of the operation contributed to the risk mitigation and all others remain at their baseline 
configuration. Note that likelihood reductions to reach ALOS can be achieved by design and 
operational reductions in aleatory and epistemic uncertainties, as well as the introduction of 
hazard prevention and protection barriers, as discussed in Section 4.2. 

Figure 42: Achieving ALOS with multiple risk mitigation contributions 

Figure 43: Achieving ALOS with environment limitations 

Figure 44: Scope of hazard severity and complexity as AS performance and complexity increase 


The AS performance and complexity are directly related to the hazard severity and 
complexity. As the system performance and complexity increase so do the hazard severity and 
complexity (Figure 44). Given the inverse risk relation for ALOS, an increase in the scope of the 
system performance and complexity results in a simultaneous increase in hazard severity and a 
corresponding decrease in acceptable uncertainty. This means that the safety effort, in terms of 
size and rigor, must increase, potentially exponentially, as protective features are introduced to 
account for the increase in the number, modes, and interrelation of relevant hazard causes (i.e., 
the hazard complexity). Figure 45 illustrates this increase in unacceptable risks and safety effort 
as AS performance and complexity increase. As shown in Figure 46, as the safety effort 
increases with performance and complexity, the achieved AS risk mitigation decreases rapidly at 
first but becomes increasingly ineffective and the cost of the effort increases exponentially. 

Figure 45: Increasing area of unacceptable risk as AS performance and complexity increase 

Figure 46: Relation of safety risk and cost with safety effort 


In summary, it appears that there are multiple ways to achieve operational ALOS with 
combinations of risk mitigations in the mission, the environment, and the aircraft system. For a 
given AS, ALOS might be achieved with mitigations in the mission and the environment, but 
this may require precluding whole categories of mission and environment complexity and/or 
vulnerabilities (i.e., exposed valuable assets). For unconstrained missions and environments, 
operational ALOS requires that risk mitigation be achieved entirely with the AS. Aircraft 
performance and design complexity, both physical and functional, are the primary determinants 
of AS safety risk. As the unmitigated risk of the AS increases, the required safety effort and the 
cost of the effort increase rapidly, potentially exponentially. 


6. Recommendations 


Two recommendations come out of the preceding analysis. 


Recommendation 1: The regulations should allow compliance with ALOS objectives using 
a combination of risk mitigation contributions from the mission, the environment, and the 
aircraft system. 


This recommendation would enable approval of a wide range of activities and the full 
exploitation of the potential benefits of unmanned aviation. This approach would be aligned 
with the desire from regulators and industry that the regulations be operation-centric, 
safety-risk-based, proportionate, and performance-based. The implementation of mission and operational 
restrictions would allow a variety of performance and cost options for realizing UA applications. 


A potential drawback of this recommendation is the complexity of the regulatory approval 
process and the increased complexity of the airspace. The potential complexity of the regulatory 
process could be mitigated by developing standard classifications of missions, environments, and 
aircraft systems that, combined, cover the majority of cases with a standardized and 
well-understood approval process. Exceptional situations would be handled with a customized 
approval process. The mission and environment classifications would correspond to airspace 
and ground-space sectors with limitations in the kinds of missions that can be performed and the 
kinds of aircraft that may operate in the sectors based on level of safety requirements. 


Recommendation 2: Unmanned aircraft should be classified based on an ordinal scale that 
combines hazard severity and hazard complexity. 

The boundaries of the classes should correspond to required levels of safety defined based on 
a partitioning of the safety effort vs. cost and risk relations. Figure 47 shows one classification 
concept that partitions the risk vs. safety-effort relation into three regions: low (C), medium (B), 
and high (A) effort, where the threshold points are referenced to the approximate areas where the 
risk curve exhibits high, medium, and low risk-reduction-to-effort return, respectively. The 
meaning of risk used here is the probability (i.e., likelihood) that an unfavorable outcome is 
realized [22]. These risk likelihood regions are mapped to the ALOS risk curve, and then to the 
hazard severity and complexity space, where regions A, B, and C are defined. Additional 
criteria would be needed to define the hazard complexity thresholds between the three regions. 
One possibility is to map these to the performance and design complexity space, where practical 
AS features could be used as criteria to define the thresholds. 

Figure 47: Notional AS classification based on risk levels 

7. Final Remarks 


The feedback received to date from subject matter experts (SME) on the recommendation for 
a risk-based classification of unmanned aircraft has been very positive. Although much of the 
study was developed at a conceptual level, this approach allowed a broad examination of 
topics relevant to the generation and justification of the classification scheme. However, much 
work remains to evolve, refine, and make the classification practical. It was recommended by 
SMEs that the study be continued to investigate further the UA classification problem and 
identify more specific and practical classification criteria and thresholds for a suitable basis for 
airworthiness certification. 


To that end, the next step in the continuation of this study will be to develop a much deeper 
practical understanding of aircraft technology and certification. The current study did not 
investigate in sufficient depth the practical aspects of actually using regulations to certify aircraft 
and approve operations. There are human and organizational factors that determine the 
effectiveness and efficiency of certification processes which warrant a much closer examination. 
The matter of international harmonization is necessarily a strong factor in the acceptability and 
practicality of a classification and deserves a closer analysis. A much deeper understanding of 
short and long-term implications of a classification to the development of the industry is needed. 
Also, consultation with a larger number of subject matter experts would be advantageous in 
order to gain a broader and deeper understanding of the problem and desirable attributes of a 
solution. 